Introduction

A feature not widely used by Exchange administrators is Litigation Hold, which was introduced in Exchange 2010 RTM. In some cases, there may be no need or regulatory requirement to implement it, but there are instances where users do not implement it because they do not understand what exactly Litigation Hold is and how it differs from Single Item Recovery and Retention Hold.

Litigation is, simply put, the conduct of a lawsuit. When an employee or an organization faces a lawsuit or even expects one, it is required to keep all information related to the case, whether this is information on paper or most commonly, electronically stored. If all relevant information is not kept, the subject of the lawsuit might undergo further legal action, sanctions or fines.

Nowadays e-mail plays a very important role in these situations due to its vast use and it is crucial to keep every single e-mail message related to the case. But how do you prevent users from advertently or inadvertently deleting e-mails needed for the investigation? What about Messaging Records Management [MRM]? Do you just temporarily disable it for all your Exchange databases? This is where Litigation Hold comes in, allowing administrators to easily:

Preserve deleted or edited mailbox items (by users);

Preserve automatically deleted mailbox items (by MRM);

Search and capture items placed on hold;

All of this is easily achieved by simply placing a mailbox on Litigation Hold, as we will see below.

How does it Work?

To learn how Litigation Hold works, we first need to talk about a feature that Exchange 2010 also introduced (or better yet, improved) called Recoverable Items folder (previously known as the Dumpster) to protect against accidental or malicious deletion of mailbox items and to help with eDiscovery. This special folder, which resides in the non-IPM sub tree of each mailbox (a storage area that contains operational data about the mailbox), is used by the following Exchange features:

Deleted Item Retention;

Single Item Recovery;

Litigation Hold;

Mailbox Audit Logging.

Under this folder, there are 4 subfolders:

Deletions, which contains all mailbox items deleted from the Deleted Items folder and is exposed to users through the Recover Deleted Items feature in Outlook and Outlook Web App [OWA];

Versions, which if Litigation Hold or Single Item Recovery is enabled, contains the original and modified copies of the items. This folder is not visible to end users;

Purges, which if Litigation Hold or Single Item Recovery is enabled, contains all items that were hard deleted from the Deletions folder. This folder is not visible to end users;

Audits, which if Mailbox Audit Logging is enabled for a mailbox, contains the audit log entries.

Figure 1.1: Location of the Recoverable Items folder seen using MFCMapi

Items in the Recoverable Items folder are kept for the deleted item retention period configured on the user's mailbox database, which is 14 days by default. If a mailbox is not placed on Litigation Hold, items are permanently purged from the Recoverable Items folder when the item has remained in the folder where it resides for longer than the deleted item retention period.

If, however, the mailbox is on Litigation Hold, every item is kept:

If a user deletes an item from the Deleted Items folder or shift-deletes it from any folder (soft delete), the item is moved to Recoverable Items\Deletions folder, where it can be recovered using the Outlook and OWA Recover Deleted Items view;

If the user purges data from the Recover Deleted Items view (hard delete from the Recoverable Items\Deletions folder), the item is moved to the Recoverable Items\Purges folder;

If a user modifies an item, a copy of the original item is placed in the Recoverable Items\Versions folder, by a process called copy-on-write page protection.

The following diagram shows how this process works when a mailbox is on Litigation Hold (or enabled for Single Item Recovery for that matter):

Figure 1.2: How items are preserved

When a mailbox is on Litigation Hold, items in the Deletions subfolder are moved to the Purges subfolder after 14 days, preventing users from knowing their mailbox is on Litigation Hold, but are never purged from this folder!

So what changes trigger this copy-on-write page protection process? The following table demonstrates which properties of a message trigger it when modified:

| Item | Properties that trigger copy-on-write |
| --- | --- |
| Messages or Posts | Subject; Body; Attachments; Sender and Recipients; Sent and Received Dates |
| Other items other than Messages or Posts | Any change to a visible property, except: when an item is moved between folders; item status change (read or unread); changes to a retention tag applied to an item |
| Draft items and RSS feeds | None. These items are exempt from copy-on-write page protection |

Table 1.1: Mailbox item properties that trigger copy-on-write

Placing a Mailbox on Litigation Hold

Note: To place a mailbox on Litigation Hold, you need to be assigned the Discovery Management or Legal Hold role-based access control role by using the Exchange Control Panel or running the following cmdlet:

Add-RoleGroupMember "Discovery Management" -Member <user>

If you are running Exchange 2010 RTM, you have to use the Exchange Management Shell [EMS] with the Set-Mailbox cmdlet to place a mailbox on Litigation Hold as we will see below. With SP1 and above, you can also use the Exchange Management Console [EMC] or the Exchange Control Panel [ECP]. All three methods achieve the same result, so it’s up to the administrator which one to use. Let’s have a look at all of them:

Exchange Management Console

In the console tree, navigate to Recipient Configuration and then Mailbox;

Find the mailbox you want to place on Litigation Hold and go to its Properties;

Enter a URL to a webpage or document with more information about the Litigation Hold for the user. This URL is displayed in the Backstage area of Microsoft Outlook 2010 as you can see from Figure 1.4;

Enter some text that you also want displayed in Outlook.

Both these options will help users understand why their mailbox is on Litigation Hold and what it means from a user's perspective. If you do not use them, users will not know their mailbox is on Litigation Hold, which might be useful in some situations.

Note: This text and URL do not appear in Outlook Web App or any other mail client, only Outlook 2010 as part of Office 2010 Professional Plus!

Exchange Control Panel

In the ECP, select Manage My Organization, Users & Groups and then Mailboxes;

Select the mailbox to put on Litigation Hold and click Details;

Under Mailbox Features, select Litigation Hold and click Enable;

As in the EMC, you can configure text and a URL to be displayed in Outlook;

Click OK and then Save;

Click Close.

Figure 1.5: Enabling mailbox for Litigation Hold using the ECP

You can also run a Litigation Hold report from the ECP to check which users have had Litigation Hold enabled or disabled for their mailbox. To run it, go to the ECP -> Manage My Organization -> Roles & Auditing -> Auditing -> Run a Litigation Hold report...

Figure 1.6: Litigation Hold Report

Exchange Management Shell

With the EMS there are 5 parameters that can be used:

LitigationHoldEnabled which when set to $True places the mailbox on Litigation Hold and when set to $False removes it from Litigation Hold;

LitigationHoldDate specifies the date when the mailbox is placed on Litigation Hold. This parameter is populated automatically but it can also be manually set for informational or reporting purposes. Note that the mailbox is placed on Litigation Hold when the cmdlet is run no matter what date you put in!

LitigationHoldOwner specifies who placed the mailbox on Litigation Hold. This parameter is also populated automatically but it can be used for informational and reporting purposes;

RetentionComment is the informational text users will see in Outlook;

RetentionUrl is the URL users will see in Outlook.

Figure 1.7: Enabling mailbox for Litigation Hold using the EMS
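
The EMS procedure above as a script, added here as an example (it is not from the original article): it places a set of mailboxes on hold with the parameters listed, reads the hold properties back, lists the Recoverable Items subfolders described earlier, and pulls the audit trail of hold changes. The mailbox addresses, comment text and URL are constructed placeholders.

```powershell
# Added example. Run from the Exchange Management Shell (Exchange 2010 SP1 or later)
# with the Discovery Management or Legal Hold role assigned.
# Constructed placeholders: replace with real mailboxes, text and URL.
$custodians = 'user1@example.com', 'user2@example.com'
$comment    = 'Your mailbox is on Litigation Hold. Contact the Legal department with questions.'
$url        = 'https://intranet.example.com/legal-hold'

# Least-privilege check: who is currently allowed to manage holds and run discovery?
Get-RoleGroupMember 'Discovery Management' | Format-Table Name, RecipientType -AutoSize

foreach ($id in $custodians) {
    $mbx = Get-Mailbox -Identity $id -ErrorAction SilentlyContinue
    if (-not $mbx) {
        Write-Warning "Mailbox not found, skipped: $id"
        continue
    }
    if (-not $mbx.LitigationHoldEnabled) {
        # LitigationHoldDate and LitigationHoldOwner are populated automatically,
        # so only the hold flag and the user-facing text/URL are set here.
        Set-Mailbox -Identity $id -LitigationHoldEnabled $true `
            -RetentionComment $comment -RetentionUrl $url
    }

    # Read the hold properties back to confirm what was recorded.
    Get-Mailbox -Identity $id |
        Format-List Name, LitigationHoldEnabled, LitigationHoldDate,
                    LitigationHoldOwner, RetentionComment, RetentionUrl

    # Item counts and sizes for Recoverable Items and its subfolders
    # (Deletions, Versions, Purges, Audits).
    Get-MailboxFolderStatistics -Identity $id -FolderScope RecoverableItems |
        Format-Table Name, ItemsInFolder, FolderSize -AutoSize
}

# Audit trail: who enabled or removed a hold, and when.
# Returns entries only if administrator audit logging is enabled in the organization.
Search-AdminAuditLog -Cmdlets Set-Mailbox -Parameters LitigationHoldEnabled |
    Sort-Object RunDate |
    Format-Table RunDate, Caller, ObjectModified, Succeeded -AutoSize
```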

Conclusion

In this first part of this article, we looked at what Litigation Hold is, how it works and how to enable it. In the second and final part we will talk about whether it impacts backups, the quota limit that is set on the Recoverable Items folder, and how Litigation Hold differs from Single Item Recovery and Retention Hold.
